Computer networks are widely used in many businesses and even in many home settings. In a typical network architecture, many “peers” connect to the network. The network serves as a conduit of information to and from the peers, allowing the peers to exchange information with servers or other network resources or with other peers also connected to the network. For example, a traditional peer may be a desktop computer running the Windows® operating system to create a platform for application programs.
The peer includes a network interface card or other device allowing for a connection to the physical transport medium making up the network. Software added to the operating system, sometimes referred to as a “supplicant,” controls the transmission and receipt of datagrams over the physical network medium. The supplicant transmits and interprets datagrams received over the physical media according to a protocol recognized by other network elements, so that network communication is possible. The supplicant implements a transport mechanism and passes information representing a message within the datagram to application programs executing on the peer.
Unfortunately, the widespread use of computer networks has also led to widespread abuse of computer networks. Consequently, most networks include authentication features that block unauthorized access to the network by peers, even when those peers send datagrams that conform to the network protocol. Traditionally, network authentication is managed by servers connected to access points, switches, RAS/VPN servers or other Network Access Servers (NAS) through which peers may connect to the network. As a peer attempts to connect to the network, these servers, sometimes referred to as RADIUS servers or IAS servers, authenticate the peer to determine whether network access should be granted. If the peer cannot be authenticated, datagrams sent by the peer are not passed through the server to the rest of the network. Likewise, information from the network is not passed on to the peer.
Different networks may be configured to incorporate different mechanisms to authenticate peers. Generally, authentication involves an exchange of datagrams between an authenticator program on the server and the supplicant on the client. The exchange may result in identifying information about the peer being provided to the authenticator software. Additionally, security information or user information may be provided by the supplicant to the authenticator program on the server. For example, the supplicant may prompt a user to enter a user name or password, which is then passed on to the authenticator software by the supplicant. The authentication can be bidirectional. For example, the server can be authenticated by the client as well as the client being authenticated by the server. This is important because it is possible for attackers to set up “fake” access points to which a client may connect. The fake access point allows a client to connect and then can take unauthorized actions. For example, the fake access point can steal the client identity/credentials, become a man-in-the-middle, etc. Certain EAP methods provide the ability for both sides, peer and authenticator, to authenticate each other and thereby avoid such malicious activity. Other types of security information are used in known networks. For example, codes read from smartcards, information from biometric sensors or certificates may all be provided by a supplicant to authenticator software on a server, depending on the specific authentication mechanism in use in the network.
Though many identification mechanisms are available, attempts have been made to standardize the peer authentication process. The Extensible Authentication Protocol (EAP) defined at RFC 3748 is one such effort to standardize the authentication process. Though standardized, the EAP is intended to be extensible—meaning that the EAP provides a framework for the authentication process. Within that framework, the content of the authentication information exchanged between supplicant and authenticator software may be defined by the network architect, allowing many authentication mechanisms to be employed.
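The following is an added illustration, not part of the original text, of the RFC 3748 framing that the EAP framework described above builds on: a minimal encoder/decoder for the Code, Identifier, Length and Type fields, a supplicant-side reply to an Identity request, and a Nak proposing a mutual-authentication method when the authenticator offers a type the supplicant does not support. The identity string and identifier values are constructed for the example; the decoder rejects a Length field that does not fit the octets actually received, which is the check a robust supplicant or authenticator must make before trusting Type-Data.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# EAP Code values (RFC 3748, section 4)
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
# EAP Type values (RFC 3748, section 5); 13 is EAP-TLS, a mutual-auth method
TYPE_IDENTITY, TYPE_NAK, TYPE_EAP_TLS = 1, 3, 13


@dataclass
class EapPacket:
    code: int
    identifier: int
    type: Optional[int] = None   # only present in Request/Response packets
    type_data: bytes = b""

    def encode(self) -> bytes:
        body = b"" if self.code in (SUCCESS, FAILURE) else bytes([self.type]) + self.type_data
        # Length covers Code, Identifier, Length and Data (4 octets + body)
        return struct.pack("!BBH", self.code, self.identifier, 4 + len(body)) + body


def decode(raw: bytes) -> EapPacket:
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 octets")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    # A declared Length longer than what arrived means a truncated or forged
    # packet; octets beyond Length are padding and are ignored (RFC 3748 4.1).
    if length < 4 or length > len(raw):
        raise ValueError(f"declared length {length} does not fit in {len(raw)} octets")
    if code not in (REQUEST, RESPONSE, SUCCESS, FAILURE):
        raise ValueError(f"unknown EAP code {code}")
    if code in (SUCCESS, FAILURE):
        return EapPacket(code, ident)
    if length < 5:
        raise ValueError("Request/Response must carry a Type octet")
    return EapPacket(code, ident, raw[4], raw[5:length])


def supplicant_reply(request: EapPacket, identity: str) -> EapPacket:
    """Supplicant side: answer a Request, echoing its Identifier so the
    authenticator can match the Response to the Request it sent."""
    if request.code != REQUEST:
        raise ValueError("supplicant only answers Request packets")
    if request.type == TYPE_IDENTITY:
        return EapPacket(RESPONSE, request.identifier, TYPE_IDENTITY, identity.encode())
    # Unsupported method offered: Nak listing the method(s) the supplicant wants,
    # here a mutual-authentication method so a rogue authenticator cannot downgrade
    return EapPacket(RESPONSE, request.identifier, TYPE_NAK, bytes([TYPE_EAP_TLS]))
```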